IBM Security Briefing: Differentiators & Maturity Model


1 IBM Security Briefing: Differentiators & Maturity Model Hamilton, Bermuda February 11, 2015 Norman John, MBA IBM Security Sales Executive Ontario & IBM Corporation

2 Why IBM Security? Our Key Differentiators IBM Corporation

3 IBM Security Experience & Expertise Security intelligence IBM Security is created Advanced fraud protection Secure mobile management Cloud-enabled identity management Identity governance Mainframe Identity Security Enterprise Endpoint and server management services single-sign-on management security Directory and network and security integration security Information and analytics management IBM Security Investment 6,000+ IBM Security experts worldwide 1,700+ IBM security patents Access management SOA management and security Application security Risk management Data management Database monitoring and protection Application security 4,000+ IBM managed security services clients worldwide 25 IBM Security labs worldwide 3

4 Analysts Consistently Rank IBM Security as Leading the Market Domain Security Intelligence Anti-Fraud People Data Applications Infrastructure Services Leading Market Segment Security Information and Event Management (SIEM) Web Fraud Detection (Trusteer) Federated Identity Management and Single Sign-On Identity and Access Governance Role Management and Access Recertification Web Access Management (WAM) Mobile Access Management Identity Provisioning Management Database Auditing and Real-Time Protection Data Masking Application Security Testing (dynamic and static) Network Intrusion Prevention Systems (NIPS)* Endpoint: Client Management Tools Endpoint Protection Platforms (EPP)* Mobile Security (Fiberlink) Managed Security Services (MSS) Information Security Consulting Services Public Cloud Service Providers Security (IBM Bluemix)* Note: Rankings compiled from Gartner, Forrester Wave, and IDC analyst reports as of January * Close runner up 4

5 IBM X-Force: The Largest Security R&D Lab in the World Backdoors Botnets Buffer Overflow Attacks Sharing real-time and anonymized threat intelligence Client Side Attacks Cross-site Scripting (XSS) Distributed Denial of Service (DDoS) Exploit Toolkits Malicious Content Peer-to-Peer Networks Protocol Tunneling Reconnaissance SQL Injection Trojans Worms IBM Security Operations Centers and Security Products X-Force Keeps Customers Ahead of the Threat Cataloging, analyzing and researching vulnerabilities since 1997 Providing zero-day threat alerts and exploit triage to IBM customers worldwide Building threat intelligence from collaborative data sharing across thousands of clients Analyzing malware and fraud activity from 270M+ Trusteer-protected endpoints 5

6 The Most Global Coverage: Crawler, Sensors, Operations, Labs IBM Security by the Numbers + monitored countries (MSS) + service delivery experts + devices under contract + endpoints protected + events managed per day 6

7 IBM Security Framework: Comprehensive, in-depth, unrivaled Intelligence, integration, and expertise across a comprehensive framework The IBM Security Framework CISO's Changing Role Key Security Trends Advanced threats Cloud Mobile Compliance Skills shortage 7

8 IBM Security Portfolio: A Family of Integrated Products 8

9 Increase security, collapse silos, and reduce complexity Integrated Intelligence. Integrated Research. Integrated Protection. Consolidate and correlate siloed information from hundreds of sources Stay ahead of the changing threat landscape Link security and vulnerability information across domains JK

10 Security Maturity Model IBM Corporation

11 Security Intelligence is enabling progress to optimized security Security Intelligence Security Intelligence Optimized: Flow analytics / predictive analytics Proficient: Security information and event management Basic: Log management Optimized Identity governance Fine-grained entitlements Privileged user management Data governance Encryption key management Fraud detection Hybrid scanning and correlation Multi-faceted network protection Anomaly detection Hardened systems Proficient User provisioning Access management Strong authentication Data masking / redaction Database activity monitoring Data loss prevention Web application protection Source code scanning Virtualization security Asset management Endpoint / network security management Basic Directory management Encryption Database access control Application scanning Perimeter security Host security Anti-virus People Data Applications Infrastructure

12 Security Intelligence is enabling progress to optimized security Security Security Intelligence Intelligence Optimized Security Intelligence Flow analytics QRadar Network Activity Monitoring (VFlow / QFlow) / Predictive analytics QRadar Risk Manager Security information and event management QRadar SIEM Log management QRadar Log Manager Identity governance Identity Manager + Role Lifecycle Manager Fine-grained entitlements Security Policy Manager Data governance InfoSphere Discovery Fraud detection Trusteer AppScan + Qradar Multi-faceted network protection IBM Network Protection (XGS) Anomaly detection QRadar Network Anomaly Detection Privileged user management Privileged Identity Manager zsecure + IM / AM.next Encryption key management IBM Key Lifecycle Manager Hybrid scanning and correlation AppScan Standard Hardened systems Host Protection Trusteer Proficient User provisioning Identity Manager zsecure Access management Access Manager / ESSO Federated Identity Manager Data masking / redaction InfoSphere Guardium Data Redaction Optim Data Masking Database activity monitoring InfoSphere Guardium Database Activity Monitor Web application protection DataPower + Network Intrusion Prevention (GX) Virtualization security Virtual Server Protection QRadar VFlow Asset management IBM Endpoint Manager Basic Strong authentication Partners + Access Manager enhancements Directory management Directory Server Directory Integrator Data loss prevention InfoSphere Guardium IBM Endpoint Manager for Core Protection Network Intrusion Prevention (GX) Encryption DB2 Encryption Expert Database access control InfoSphere Guardium Source code scanning AppScan Source Application scanning AppScan on Demand AppScan Standard AppScan Enterprise Endpoint / network security management IBM Endpoint Manager SiteProtector Host Protection Perimeter security Network Intrusion Prevention (GX) Host security RACF Host Protection Anti-virus IBM Endpoint Manager for Core Protection People Data Applications 
Infrastructure

13 People Manage and extend enterprise identity context across security domains with comprehensive Identity Intelligence Basic Proficient Optimized 45 60% 30 40% 10 15% Approximate % of Clients that Have Reached the Maturity Level Risk Identification Automation/Scalability/Remediation Integration/Analytics/Governance Have you rolled out an identity program? How are you managing user access to resources? Do you have automated, policy-driven identity and role based management? 1 Directory management 1 User provisioning 1 Identity governance Directory Server Directory Integrator Identity Manager Identity Manager + Governance Administration 2 Access management Access Manager /ESSO/ Federated Identity Manager 2 Fine-grained entitlements Security Policy Manager 3 Strong authentication 3 Privileged user management 13 Access Manager for Web & Mobile (MFA) Privileged Identity Manager 12-01

14 IBM Security Strategy for Identity and Access Management Manage the enterprise identity context across all security domains 14

15 Data Enterprise-wide solutions for helping secure the privacy and integrity of trusted information in the data center Basic Proficient Optimized 50 70% 20 30% 5 10% Approximate % of Clients that Have Reached the Maturity Level Risk Identification Automation/Scalability/Remediation Integration/Analytics/Governance Have you classified and encrypted sensitive data? Do you know if sensitive data leaves your network? Can you monitor (privileged) access to data? 1 Encryption 1 Data masking / redaction 1 Data governance DB2 Encryption Expert InfoSphere Data Redaction / Optim Data Masking InfoSphere Discovery 2 Database access control 2 Database activity monitoring 2 Encryption key management InfoSphere Guardium Database Activity Monitor IBM Key Lifecycle Manager 3 Data loss prevention 15 IBM Endpoint Manager for Core Protection + Next Gen Network Intrusion Prevention (XGS) 12-01

16 Applications Help identify and remediate application vulnerabilities in both source code and live Web applications Basic Proficient Optimized 50 70% 20 30% 5 10% Approximate % of Clients that Have Reached the Maturity Level Risk Identification Automation/Scalability/Remediation Integration/Analytics/Governance Do you have a secure application development process? Are you regularly testing your website for vulnerabilities? Can you test legacy applications for exposures? 1 Application scanning 1 Web application protection 1 Fraud detection AppScan Standard Next Gen IPS (XGS) AppScan + QRadar 2 Source code scanning AppScan Source 2 Hybrid scanning and correlation AppScan Source + Enterprise

17 Application Security: Using AppScan for Vulnerability Assessments Audience Development teams Security teams Penetration Testers Software Development Lifecycle Scanning Techniques CODING BUILD QA SECURITY PRODUCTION Static analysis (white box) Dynamic analysis (black box) Applications Programming Languages Web Applications Web Services Mobile Applications Purchased Applications Governance and Collaboration Test policies, test templates and access control Dashboards, detailed reports and trending Manage regulatory requirements such as PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports) Integrated Build Systems improve scan efficiencies Defect Tracking Systems track remediation IDEs remediation assistance Security Intelligence raise threat level Key Themes Coverage for Mobile applications and new threats Continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next generation dynamic analysis scanning and glass box testing 17 Simplified interface and accelerated ROI New capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease of use features Security Intelligence Integration Automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform

18 Infrastructure Help guard against sophisticated attacks with insight into users, content and applications; help endpoints, servers, and mobile devices remain compliant, updated, and protected Basic Proficient Optimized 1 5% 75 85% 5 10% Approximate % of Clients that Have Reached the Maturity Level Risk Identification Automation/Scalability/Remediation Integration/Analytics/Governance Are you providing basic threat management for all endpoints and network devices? Do you perform proactive threat and vulnerability management protection? Is security built into new initiatives (e.g., Cloud, Mobile)? 1 Perimeter security 1 Virtualization security Firewall Virtual Server Protection QRadar VFlow (NetFlow) 1 Multi-faceted network protection IBM Next Gen Intrusion Prevention System (XGS) 2 Host security 2 Asset management 2 Anomaly detection Host Protection IBM Endpoint Manager MaaS360 QRadar Network Anomaly Detection 3 Anti-virus IBM Endpoint Manager for Core Protection Trusteer Apex 3 Endpoint / network security management IBM Endpoint Manager + IBM Next Gen Intrusion Prevention System (XGS) 3 Hardened systems Host Protection Trusteer Apex

19 Behavioral Detection Powered by X-Force Research Behavioral Detection Blocks Known and Unknown Attacks X X X Virtual Patch Application Control Client-side Application Protection Web App Protection Network and User Policies Reputation Web App Management Network Visibility Ahead-of-the-threat extensible protection backed by the power of X-Force 19

20 IBM Security Network Protection (XGS) Unprecedented levels of network security, visibility and control Protection from sophisticated and constantly evolving threats Behavioral detection fights 0-day attacks Protects against entire classes of vulnerabilities Discover and disrupt previously unknown threats on the network Shows application and web use by user Detects and blocks malicious traffic Policy-based monitoring and blocking 20B URL database now includes Trusteer Seamless deployment and integration Flexible performance, interfaces and options Ability to send flow data feeds to QRadar Receive quarantine triggers from QRadar ENHANCED NEW Ranked 2nd out of 10 IPS vendors for blocking exploits in 2013 group test Received ICSA certification for Network IPS and PAM engine in 2013 Provided superior protection from mutated threats vs. SNORT engine Ranked Champion in latest IDPS vendor landscape report "...IBM performed extremely well in this testing, achieving an overall score of 95.7%. This speaks to the ability of the IBM IPS to perform against the types of constantly evolving threats that are often seen in today's networks." Source: Vikram Phatak, Chairman and CEO of NSS Labs IBM Corporation

21 Security Intelligence and Analytics Helping customers optimize security with additional context, automation and integration Basic Proficient Optimized 50 70% 20 30% 5 10% % of Clients that Have Reached the Maturity Level Risk Identification Automation/Scalability/Remediation Integration/Analytics/Governance Are you meeting compliance and reporting requirements? Can you correlate events across domains and detect advanced threats? Can you identify active attack paths and high-risk assets? 1 Log management 1 Security information and event management QRadar Log Manager QRadar SIEM 1 Flow analytics QRadar Network Activity Monitoring (VFlow / QFlow) 2 Predictive analytics QRadar Risk Manager

22 Security Intelligence: Integrating across IT silos Security Intelligence and Analytics Security devices Servers and mainframes Network and virtual activity Data activity Application activity Configuration information Vulnerabilities and threats Correlation Logs/events Flows IP reputation Geographic location Activity baselining and anomaly detection User activity Database activity Application activity Network activity Offense identification Credibility Severity Relevance True offense Suspected incidents Users and identities Extensive data sources Deep intelligence + = Exceptionally accurate and actionable insight 22 Key Themes Increased Data Sources Data from 450+ security collectors and Integration with X-Force intelligence and other external feeds to use in analysis for determining relevant vulnerabilities and potential threats Integrated Vulnerability Management Comprehensive understanding of the configuration and exposure of systems in the environment, enabling contextual analysis to determine vulnerabilities against particular threats Enhanced Identity Context V13-03 Integrated understanding of users, their roles, level of privilege, geographical location and their typical behaviors to enable enterprises to identify abnormal activity that might indicate insider threat

23 PCI Compliance IBM Corporation

24 Achieving PCI Compliance Tools Monitoring GRC Assessments Controls Program 24 2

25 IBM Payment Card Industry (PCI) Advisory Services Protect cardholder data and achieve PCI 1 compliance IBM's PCI compliance approach A Qualified Security Assessor (QSA) helps provide expert advice on definition and validation of PCI scope, remediation planning and compensating controls with acquiring institutions or card brands Customized assessment that helps determine your current compliance level and identify steps to avoid audit fatigue while addressing specific remediation requirements Provides required documentation for PCI-DSS 2 version 3.0 examinations PCI gap assessment, PCI Report on Compliance (RoC), self-assessment questionnaire, and attestation on compliance Globally deployed services - IBM is a QSA, approved scanning vendor (ASV), payment application qualified security assessor (PA-QSA) and a payment card industry forensic investigator (PFI) Leverages IBM's own experience in achieving PCI compliance across its own global businesses 1 PCI = Payment Card Industry 2 PCI-DSS = PCI Data Security Standards

26 Exceeding PCI Compliance with IBM Security Solutions 26 2

27 IBM Security Solutions & PCI Compliance
PCI Point | Item | Description
1,2 | IPS for Perimeter and Core | XGS Network Protection Appliance - Next Gen IPS
1,2,3,4,6,7,8,10,11 | SIEM | QRadar All-in-one Appliance, QRadar Risk Manager, QRadar Vulnerability Manager
1, 2, 5, 6 | Mobile Device Controls | IBM MaaS 360
5,6 | Anti-Malware | IBM Endpoint Manager for Core Protection
5,6 | Application Scanning | IBM AppScan Standard
3,6,7,8,9,10 | Identity Management | Privileged Identity Manager
3,4 | Data Protection | Security Key Lifecycle Manager
3,4 | Data Protection | Guardium Database Activity Monitor & Optim Data Masking
12 | Policy Enforcement | Open Pages GRC platform for PCI Compliance

28 PCI Compliance Zone: Segregation, Monitoring, Control Untrusted Internet DMZ External Users Firewall Perimeter IPS Public Internet AppScan Online & Mobile Banking Application 5 6 External APIs Using PCI Data 5 11 Core IPS Trusted Intranet File Servers Database Servers Employee Access Privileged ID Manager Anti-Malware Servers IBM Endpoint Manager 5 Security & Compliance Systems QRadar1-4,6,7 8,10-12 Storage Library 3 4 Key Lifecycle Manager 28

29 IBM Security Services IBM Corporation

30 IBM Advanced Threat Assessment (ATA) Uncover indicators of compromise and hidden threats Data Collection & Reconnaissance Targeted External Testing Internal Scanning & Analysis Reviews & Interviews Reporting & Briefing Coordinated Attack Simulation Targeted penetration testing helps identify vulnerable systems and applications from an attacker's perspective, conducted with broad coverage or using customized and simulated events. An on-site coordinator assists with validating that detection mechanisms are successfully detecting malicious activity. Tool based APT Forensic Scanning Checks for the presence of behavioral Indicators of Compromise (IOCs) frequently seen with intrusions indicating a currently active but previously unknown compromise. Memory (RAM) Analysis For systems identified with suspicious activity, a remote memory (RAM, volatile data) analysis may be done looking for common malware traits. System Log Analysis Logs from firewalls, IDS/IPS devices, Network AV servers, DNS and other systems can help reveal IOCs of an intruder or the presence of malware. Critical Controls Review Assessment of the level of implementation of SANS Top 20 Critical Security Controls helps to develop an overall security strategy. 30

31 IBM Threat Management and Analysis Service NEW A First of a Kind partnership with IBM and AT&T Transform the network security infrastructure with strategic consulting & optimization, cloud delivered services and integrated threat monitoring Control costs by transitioning from capital to operating expenditures Minimize the demand to identify and retain security experts Reduce risk through global threat intelligence, managed security services and emergency response services IBM Network & Security Optimization Consulting AT&T Secure Network Gateway IBM Security Monitoring & Threat Intelligence IBM Emergency Response Services Gain the flexibility to meet unique security and financial demands Best of breed approach through strategic partnership between two leaders in security & telecom 31

32 Managed Security Information and Event Management Security optimization with advanced threat detection Multiple offering packages to ensure flexibility flexible service levels to support less demanding and also mission critical environments Security Operations Optimization IBM Security operations consultants help design and deploy an advanced world-class SIEM for your organization Prices do not vary simply because you upgrade your technology or increase bandwidth. Real-time monitoring provides 24x7 security awareness, ensuring that attackers never have an after-hours advantage Comprehensive incident escalation and reporting are designed to meet stringent audit requirements and optimize investigation Industry-leading service level agreements for incident response, change management, system monitoring, solution availability and content updates SSAE-16 certified Security Operations infrastructure is maintained to meet strict industry standards Support for leading SIEM vendors including IBM's own QRadar 32

33 IBM Emergency Response Service (ERS) Prepare for and withstand sophisticated attacks Post-Incident Analysis Containment, Eradication, and Recovery Incident Planning BE READY Incident Triage Proactive Preparation Periodic Reviews 24x7x365 emergency response provides access to key resources that can enable faster recovery and reduce business impact from incidents Each incident investigation is handled with proven methodology and advanced tools to provide forensic level details and to prevent reoccurrence Periodic review and incident case management enable a broader view and deeper understanding of incidents using intelligence data and analytics Preemptive incident preparation services reduce risk and exposure to cyber threats ahead of an attack An ERS subscription includes Initial planning workshop 120 hours per year for incident response or proactive services Quarterly updates and remote support Access to X-Force Threat Analysis Service Worldwide, around-the-clock coverage Cross-platform support from mainframe to mobile 33 33

34 IBM Security: Helping clients optimize IT security Integrated Portfolio Managed and Professional Services Extensive Partner Ecosystem IBM Research 34

35 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY 35 Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

36 Appendices IBM Corporation

37 People & Identity Security Controls Domain Maturity Level Control Control Definition Basic Directory management Deployment of a single or multiple enterprise user database, traditionally in the form of an LDAP or X.500 directory that are used by more than one application, system and/or component as its only repository for user information. Strong authentication Controls that allow the ability to extend authentication mechanisms built into application to provide additional levels of assurance around user credentials through support for additional authentication mechanisms / channels. People Proficient Access management User provisioning The ability to manage access decisions through a centralized infrastructure across all applications including single sign on, self service, centralized access policy management and policy distribution etc. The ability to consume / provide IT services from 3rd Parties such as business partners, SaaS providers etc. based on an established trust model between the 2 parties and without mandating the necessity to share multiple copies of the entire user repository across both organizations. Managing the entire user lifecycle within the organization from a centralized infrastructure that includes ability to manage workflows, compliance and audit requirements, self service capabilities, etc. Privileged user management Controls established in place to manage the access and use of shared accounts within a system including system accounts and accounts with elevated privileges while retaining the ability to track usage and establish tasks performed directly to an individual person. Optimized Fine grained entitlements Controls that allow for discrete entitlement and security policy enforcement using a centralized infrastructure based on standards such as XACML.
Identity governance Establish mechanisms to manage enterprise wide role definitions and consume them within the user lifecycle management processes as well as within centralized access management infrastructures, hence providing a complete governance level view of how organization is mapped across multiple IT systems in terms of user access and privileges. 37

38 Data Security Controls Domain Maturity Level Control Control Definition Basic Database access control Encryption Data loss prevention The ability to restrict access to information within structured data repositories using security controls available within those data repositories. Control to ensure confidential data is not readable or legible without going through a special process that is only feasible for trusted parties irrespective of the location of the data and whether it is at rest or in motion. Putting enforcement controls to monitor consumption of data and prevention of leakage of confidential data from within the organization across all endpoints and network interfaces. Data Proficient Database activity monitoring Control to monitor activities across data repositories and provide the ability to measure compliance to security standards and policies. The ability to enforce data security controls and data access controls across all data repositories enterprise wide using a centralized data access enforcement infrastructure. Data masking / redaction Mask or remove sensitive data from documents, forms, and files in real time and in nonproduction environments. Encryption key management Simplify, centralize, and automate the encryption key management to help minimize the risk of loss or breach of sensitive information Optimized Data governance The required capabilities to manage the entire lifecycle of a piece of data from creation, consumption, retention up to destruction and enforce consistent security controls and measures across the entire lifecycle. 38

39 Application Security Controls Domain Maturity Level Control Control Definition Basic Application scanning The ability to perform a black box or glass box test (dynamic scanning) across the user interface of an application to identify security issues and loopholes within the applications. It is also commonly referred to as DAST. Applications Proficient Source code scanning Web application protection Mechanism to perform detailed analysis of source code to identify potential security implementation issues within the code at any given phase of the SDLC. It is also referred to as white box testing or SAST. The ability to automatically perform a dynamic scan on a Web application to detect and alert on vulnerabilities such as SQL injection or cross site scripting (XSS) in the application in a production environment. Hybrid scanning and correlation The ability to have black-box (dynamic) and static analysis working together, with the static analysis using information that can only be collected dynamically during URL page crawling Optimized Fraud detection The ability to implement security mechanisms and controls within applications and systems that provide the capability to monitor malicious or invalid transactions with the aim of defrauding / cheating an organization of its resources and to eventually help prevent such transactions from occurring. 39

40 Infrastructure Security Controls Domain Maturity Level Control Control Definition Anti-virus The ability to detect and eliminate known infections within the endpoint which can lead to a security compromise of the endpoint or the entire IT network. Basic Host security Host-based security measures such as anti-virus applications, host-based firewalls, automatic patch download and/or installation, etc. Perimeter security The ability to inspect and analyze inbound and outbound packets for malicious content or behaviors and block those packets. Endpoint / network security management The mechanism to monitor and ensure continuous enforcement of security related configuration and state as well as compliance directives on the endpoint / network. Infrastructure Proficient Asset management Virtualization security The ability to use a repository of information regarding all the different network layer equipment / devices within the IT organization (e.g., routers, switches, firewalls, VPNs, load balancers) to manage those resources. The repository provides a full current inventory and state picture of the network equipment in concern that can include OS installed, patch levels, etc. Security controls that manage the security of a virtualized environments to ensure all virtualized systems are able to meet the minimum compliance standards and security standards within the organization, manage lifecycle of virtual machine instances as well as ensure the security and integrity of the hypervisor layer within the virtualized environment. Anomaly detection A mechanism to understand and create a baseline for the regular behavior of the network in terms of bandwidth utilization, type of packet distribution, source / destination distribution etc. and to detect deviations from these baselines to detect potentially unidentified security compromises within the network infrastructure. 
Optimized Multi-faceted network protection The ability to integrate and extend the capabilities of traditional network IPS with security threat management capabilities such as layer 7 application level network traffic management, ability to integrate with user directories within enterprise to provide enhanced network threat mitigation within the network layer all the way up to the application layer. 40

41 Security Intelligence & Analytics Security Controls
Domain: Security Intelligence & Analytics
Maturity Level | Control | Control Definition
Basic | Log management | A mechanism to collect log information from all the different sources across the IT enterprise and store it in a centralized manner that is tamper proof such that it can be used to detect security threats as they occur through the use of an additional correlation engine or for investigative purposes as part of an incident management process.
Proficient | Security information and event management | Tool that enables an organization to parse through all relevant security related information and events in real time from sources such as log files, network packet captures, vulnerability management systems, etc. and correlate across all of these information sources to identify security threats as they are occurring within the organization and help in their investigation.
Optimized | Flow analytics / predictive analytics | The collection and detailed classification of network behavior, as well as the ability to correlate network activity against log events and other security activities across your entire network. Predict the risk impact of network changes, including new application and infrastructure deployments through enhanced security modeling and simulations
